 |
Title: Self-hosting at home and privacy |
|
Author: Solène |
|
Date: 10 September 2024 |
|
Tags: privacy selfhosting life |
|
Description: In this blog post, you will learn that self-hosting your |
|
own services at home coud leak some information about you |
|
|
|
# Introduction |
|
|
|
You may self-host services at home, but you need to think about the |
|
potential drawbacks for your privacy. |
|
|
|
Let's explore what kind of information could be extracted from |
|
self-hosting, especially when you use a domain name. |
|
|
|
# Public information |
|
|
|
## Domain WHOIS |
|
|
|
A domain name must expose some information through WHOIS queries, |
|
basically who is the registrar responsible for it, and who could be |
|
contacted for technical or administration matters. |
|
|
|
Almost every registrar will offer you feature to hide your personal |
|
information, you certainly not want to have your full name, full |
|
address and phone number exposed on a single WHOIS request. |
|
|
|
You can perform a WHOIS request on the link below, directly managed by |
|
ICANN. |
|
|
 |
ICANN Lookup |
|
|
|
## TLS certificates using ACME |
|
|
|
If you use TLS certificates for your services, and ACME (Let's Encrypt |
|
or alternatives), all the domains for which a certificate was emitted |
|
can easily be queried. |
|
|
|
You can visit the following website, type a domain name, and you will |
|
immediately have a list of existing domain names. |
|
|
|
crt.sh Certificate Search |
|
|
|
In such situation, if you planned to keep a domain hidden by not |
|
sharing it with anyone, you got it wrong. |
|
|
|
## Domain name |
|
|
|
If you use a custom domain in your email, it is highly likely that you |
|
have some IT knowledge and that you are the only user of your email |
|
server. |
|
|
|
Using this statement (IT person + only domain user), someone having |
|
access to your email address can quickly search for anything related to |
|
your domain and figure it is related to you. |
|
|
|
## Public IP |
|
|
|
Anywhere you connect, your public IP is known of the remote servers. |
|
|
|
Some bored sysadmin could take a look at the IPs in their logs, and |
|
check if some public service is running on it, polling for secure |
|
services (HTTPS, IMAPS, SMTPS) will immediately give associated domain |
|
name on that IP, then they could search even further. |
|
|
|
# Mitigations |
|
|
|
There are not many solutions to prevent this, unfortunately. |
|
|
|
The public IP situation could be mitigated by either continuing hosting |
|
at home by renting a cheap server with a public IP and establish a VPN |
|
between the two and use the public IP of the server for your services, |
|
or to move your services to such remote server. This is an extract |
|
cost of course. When possible, you could expose the service over Tor |
|
hidden service or I2P if it works for your use case, you would not need |
|
to rent a server for this. |
|
|
|
The TLS certificates names being public could be easily solved by |
|
generating self-signed certificates locally, and deal with it. |
|
Depending on your services, it may be just fine, but if you have |
|
strangers using the services, the fact to accept to trust the |
|
certificate on first use (TOFU) may appear dangerous. Some software |
|
fail to connect to self-signed certificates and do not offer a |
|
bypass... |
|
|
|
# Conclusion |
|
|
|
Self-hosting at home can be practical for various reasons: reusing old |
|
hardware, better local throughput, high performance for cheap... but |
|
you need to be aware of potential privacy issues that could come with |
|
it. |
